On 2/8/17 12:40 PM, David Ahern wrote:
> On 2/8/17 3:52 AM, Daniel Borkmann wrote:
>> for cBPF dumps it looks like this in ss. Can you tell me what these
>> 11 insns do? Likely you can, but can a normal admin?
>>
>> # ss -0 -b
>> Netid  Recv-Q Send-Q  Local Address:Port  Peer Address:Port
>> p_raw  0      0       *:em1               *
>>     bpf filter (11):  0x28 0 0 12, 0x15 0 8 2048, 0x30 0 0 23, 0x15 0 6
>> 17, 0x28 0 0 20, 0x45 4 0 8191, 0xb1 0 0 14, 0x48 0 0 16, 0x15 0 1 68,
>> 0x06 0 0 4294967295, 0x06 0 0 0,
> 
...

> 
> It's not rocket science. We should be able to write tools that do the
> same for bpf as objdump does for assembly. It is a matter of someone
> having the need and taking the initiative. BTW, the bpf option was added

Just a couple of hours of hacking this afternoon and leveraging some of
the verifier code in the kernel, the above bpf filter in more human
friendly terms:

BPF_LD  | BPF_ABS  | BPF_H       0xc    :  val = *(u16 *)skb[12]
BPF_JMP | BPF_JEQ  | BPF_K  0  8 0x800  :  if !(val == 0x800) goto pc+8
BPF_LD  | BPF_ABS  | BPF_B       0x17   :  val = *(u8 *)skb[23]
BPF_JMP | BPF_JEQ  | BPF_K  0  6 0x11   :  if !(val == 0x11) goto pc+6
BPF_LD  | BPF_ABS  | BPF_H       0x14   :  val = *(u16 *)skb[20]
BPF_JMP | BPF_JSET | BPF_K  4  0 0x1fff :  if ((val & 0x1fff) != 0) goto pc+4
BPF_LDX | BPF_MSH  | BPF_B       0xe    :
BPF_LD  | BPF_IND  | BPF_H       0x10   :  val = *(u16 *)skb[16]
BPF_JMP | BPF_JEQ  | BPF_K  0  1 0x44   :  if !(val == 0x44) goto pc+1
BPF_RET ffffffff                        :  ret ffffffff
BPF_RET 0                               :  ret 0

(long lines so I chopped the reprint of the hex on the left)

That said, verifying that the program attached to a cgroup is correct
for a VRF does not require it to be pretty printed or viewed by humans.
I can automate the checks on namespace id and device index.
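
The decoding step described above, as an added example (not David's tool and not kernel code): a small classic-BPF disassembler in Python that parses the instruction list `ss -0 -b` printed and emits the same mnemonic / C-like form. It goes slightly beyond the listing by handling JGT/JGE, X-register sources and the MSH/IND operand detail; the `val`/`x` names and the output layout are assumptions.

```python
"""Decode the raw 'code jt jf k' tuples that ss -0 -b prints into cBPF mnemonics."""

# Constructed from the quoted ss output: the 11 instructions of the p_raw socket filter.
SS_FILTER = ("0x28 0 0 12, 0x15 0 8 2048, 0x30 0 0 23, 0x15 0 6 17, "
             "0x28 0 0 20, 0x45 4 0 8191, 0xb1 0 0 14, 0x48 0 0 16, "
             "0x15 0 1 68, 0x06 0 0 4294967295, 0x06 0 0 0")

# cBPF opcode layout (include/uapi/linux/bpf_common.h): bits 0-2 class,
# bits 3-4 size, bits 5-7 mode; for JMP, bit 3 is the source, bits 4-7 the op.
CLASS = {0: "LD", 1: "LDX", 5: "JMP", 6: "RET"}   # ALU/ST/STX/MISC not needed here
SIZE = {0x00: ("W", "u32"), 0x08: ("H", "u16"), 0x10: ("B", "u8")}
MODE = {0x00: "IMM", 0x20: "ABS", 0x40: "IND", 0x60: "MEM", 0x80: "LEN", 0xa0: "MSH"}
JOP = {0x10: "JEQ", 0x20: "JGT", 0x30: "JGE", 0x40: "JSET"}

def decode(code, jt, jf, k):
    """Return (mnemonic, meaning) for one instruction; 'val' is the accumulator A."""
    cls = CLASS[code & 0x07]
    if cls in ("LD", "LDX"):
        sz, ctype = SIZE[code & 0x18]
        mode = MODE[code & 0xe0]
        mnem = f"BPF_{cls} | BPF_{mode} | BPF_{sz} {k:#x}"
        if mode == "MSH":            # x = 4 * (P[k] & 0xf): IP header length in bytes
            return mnem, f"x = 4 * (skb[{k}] & 0xf)"
        off = f"x+{k}" if mode == "IND" else str(k)   # IND loads are relative to x
        return mnem, f"val = *({ctype} *)skb[{off}]"
    if cls == "JMP":
        op, src = JOP[code & 0xf0], ("X" if code & 0x08 else "K")
        rhs = "x" if src == "X" else f"{k:#x}"
        mnem = f"BPF_JMP | BPF_{op} | BPF_{src} {jt} {jf} {k:#x}"
        cond = {"JEQ": f"val == {rhs}", "JGT": f"val > {rhs}",
                "JGE": f"val >= {rhs}", "JSET": f"(val & {rhs}) != 0"}[op]
        # jt / jf are the offsets taken when the condition is true / false;
        # a zero offset just falls through to the next instruction.
        if jt == 0:
            return mnem, f"if !({cond}) goto pc+{jf}"
        if jf == 0:
            return mnem, f"if ({cond}) goto pc+{jt}"
        return mnem, f"if ({cond}) goto pc+{jt} else goto pc+{jf}"
    rv = {0x00: f"{k:#x}", 0x08: "x", 0x10: "val"}[code & 0x18]   # RET: K, X or A
    return f"BPF_RET {rv}", f"ret {rv}"

def disassemble(text):
    """Parse the comma-separated 'code jt jf k' list from ss and decode each entry."""
    insns = [tuple(int(f, 0) for f in i.split()) for i in text.split(",") if i.strip()]
    return [decode(*ins) for ins in insns]

if __name__ == "__main__":
    for mnem, meaning in disassemble(SS_FILTER):
        print(f"{mnem:40} :  {meaning}")
```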
